From: PIENTKA, JOE (WF) (FBI) <JPIENTKA@fbi.sgov.gov> 

Sent: Thursday, August 4, 2016 9:08 AM 

To: GESSFORD, BENJAMIN E. (CV) (FBI) <BEGESSFORD@fbi.sgov.gov>; HEIDE, 
CURTIS A. (CG) (FBI) <CAHEIDE@fbi.sgov.gov>; SOMMA, STEPHEN M. (NY) 
(FBI) <SMSOMMA@fbi.sgov.gov> 

Subject: FW: Washington Post article on Fancy Bear and Cozy Bear --- UNCLASSIFIED 

Attach: WP article.docx 


Classification: UNCLASSIFIED 


You may have already read this. Just going through old — possibly pertinent emails. 


Joe 


From: PIENTKA, JOE (WF) (FBI) 

Sent: Wednesday, June 15, 2016 8:15 AM 

To: AHLBERG, NICOLE (WF) (FBI); ALLAN, WILLIAM N. (WF) (FBI); DANIEL, EREK (WF) (FBI); DIPRONIO, ROSS (WF) 
(FBI); HERBERT, STEPHANIE A. (WF) (FBI); KENNELLY, CARMELA D (WF)(FBI); KIRKLAND, SETH I. (WF) (FBI); KLINE, 
WARREN W (WF)(OGA); KREIZENBECK, MICHAEL J. (WF) (FBI); MIKUSKA, MATTHEW J. (WF) (FBI); MIOSSI, 
CATHERINE B. (WF) (FBI); RANDAL, KATE E. (WF) (FBI); SLOAN, NICHOLAS D. (WF) (FBI); TARVIN, TIMOTHY P. (WF) 
(FBI); WALTERS, MICHAEL S. (WF) (FBI); YOUNG, JARED (WF) (FBI) 

Cc: STARK, CHRISTOPHER M. (CD) (FBI); MILLER, PAUL V. (CD) (FBI); CASEY, LAURA C. (CD) (FBI); CHRISSAFIS, 
PIERRE G. (CD) (FBI) 

Subject: FW: Washington Post article on Fancy Bear and Cozy Bear --- UNCLASSIFIED 

Importance: High 


Classification: UNCLASSIFIED 


Good read... 


From: FRASCH, JENNIFER J. (WF) (FBI) 

Sent: Tuesday, June 14, 2016 2:21 PM 

To: PIENTKA, JOE (WF) (FBI); MOHAJERIN, THATCHER (WF) (FBI); DIPRONIO, ROSS (WF) (FBI); TURNER, ROBERT 
(WF) (FBI) 

Subject: FW: Washington Post article on Fancy Bear and Cozy Bear --- UNCLASSIFIED 

Importance: High 


Classification: UNCLASSIFIED 


Hello — providing FYSA. 


Jennifer 


SSA Jennifer J. Frasch 


FBI-DWS-12-0002098 
SCO-011627 


No. 1:21-cr-00582-CRC (D.D.C.) DX-123 0001 


Computer Intrusion Program Coordinator 
Russian Cyber Intrusion Squad, CY-3 
Washington Field Office, NVRA 


703-686-6710 (o) 


SEIS 295: (c) 


From: FELGAR, GRETCHEN (CYD) (FBI) 

Sent: Tuesday, June 14, 2016 12:04 PM 

To: HUBIAK, JOSHUA J. (PH) (FBI); WOODS, ADAM (PH) (FBI); STROUD, JASON R. (PH) (FBI); BYERS, JAMES D. (PH) 
(FBI); MATEVISH, KELSEY (PH) (FBI); WARE II, WILLIAM D. (AT) (FBI); HAWKINS, E ADRIAN (WF) (FBI); ANDERSON, 
JOEL T (CYD)(FBI); AVEDISIAN, ARMAN (CYD) (FBI); STEINBERG, EVAN R. (CYD) (FBI); WILSON, AMY E. (CYD) (FBI); 
WARE II, WILLIAM D. (AT) (FBI); THOMPSON, BRITTANY (AT) (FBI); JOHNSON, JOY L. (AT) (FBI); MIZELL, WANDA (AT) 
(FBI); BREED, ALEXANDRA S. (AT) (FBI); HENDRICKS, RICHARD C. (AT) (FBI); HAMMELL, DELYNN B. (SF) (FBI); 
MINAMI, DAVID A. (SF) (FBI); LOWMAN, SAMANTHA B. (SF) (FBI); HARRIS, WESLEY K. (LA) (FBI); THOMAS, DEREK C. 
(LA) (FBI); NAM, HYE M. (SF) (FBI) 

Cc: YEARWOOD, RONALD J. (CYD) (FBI); HOLT, JODA D. (CYD) (FBI); KOHLER, SHERI E. (CYD) (FBI); HUNT, CHAD 
(AT) (FBI); COTELLESSE, GERALD S. (PH) (FBI); FRASCH, JENNIFER J. (WF) (FBI); NAIL, MICHAEL A (CYD)(FBI); SYE II, 
GREGORY E. (CYD) (FBI); SAMPLE, RHONDA A (CYD)(FBI); BRYANT, DOUGLAS J. (CYD) (FBI); WALKER, CW R (CYD) 
(CON); CHEEKS II, JAMES E (CYD)(FBI); SCHORLE, CHRISTIAN J. (CYD) (FBI); WILSON, AMY E. (CYD) (FBI); CHAN, 
ELVIS M. (SF) (FBI); KRONE, MARY (AT) (FBI); ALLEN, CARRIE J. (SF) (FBI); WILK, FRANK E. (PH) (FBI) 

Subject: Washington Post article on Fancy Bear and Cozy Bear --- UNCLASSIFIED 

Importance: High 


Classification: UNCLASSIFIED 


XS IDA 

Gretchen Felgar 

Intelligence Analyst 

Eurasia Cyber Intelligence Unit || Mission Ridge 
Desk: 703-633-5671 


Mobile SE -8069 


Classification: UNCLASSIFIED 


Classification: UNCLASSIFIED 




National Security 


Russian government hackers penetrated DNC, stole opposition research on Trump 


Russian government hackers penetrated the Democratic National Committee and had 
access to the DNC network for about a year, but all were expelled over the past weekend, 
officials say. (Kacper Pempel/Reuters) 


By Ellen Nakashima 
National Security 


Russian government hackers penetrated the computer network of the 
Democratic National Committee and gained access to the entire database of 
opposition research on GOP presidential candidate Donald Trump, according 
to committee officials and security experts who responded to the breach. 


The intruders so thoroughly compromised the DNC’s system that they also 
were able to read all email and chat traffic, said DNC officials and the security 
experts. 


The intrusion into the DNC was one of several targeting American political 
organizations. The networks of presidential candidates Hillary Clinton and 
Donald Trump were also targeted by Russian spies, as were the computers of 
some GOP political action committees, U.S. officials said. But details on those 
cases were not available. 


A Russian Embassy spokesman said he had no knowledge of such intrusions. 


Some of the hackers had access to the DNC network for about a year, but all 
were expelled over the past weekend in a major computer cleanup campaign, 
the committee officials and experts said. 


The DNC said that no financial, donor or personal information appears to 
have been accessed or taken, suggesting that the breach was traditional 
espionage, not the work of criminal hackers. 


[Russian hackers breach some White House computers] 


The intrusions are an example of Russia’s interest in the U.S. political system 
and its desire to understand the policies, strengths and weaknesses of a 
potential future president — much as American spies gather similar 
information on foreign candidates and leaders. 


The depth of the penetration reflects the skill and determination of the United 
States’ top cyber adversary as Russia goes after strategic targets, from the 
White House and State Department to political campaign organizations. 


“It’s the job of every foreign intelligence service to collect intelligence against 
their adversaries,” said Shawn Henry, president of CrowdStrike, the cyber firm 
called in to handle the DNC breach and a former head of the FBI’s cyber 
division. He noted that it is extremely difficult for a civilian organization to 
protect itself from a skilled and determined state such as Russia. 


“We’re perceived as an adversary of Russia,” he said. “Their job when they 
wake up every day is to gather intelligence against the policies, practices and 
strategies of the U.S. government. There are a variety of ways. [Hacking] is 
one of the more valuable because it gives you a treasure trove of information.” 


Russian President Vladimir Putin has spoken favorably about Trump, who has 
called for better relations with Russia and expressed skepticism about NATO. 
But unlike Clinton, whom the Russians probably have long had in their spy 
sights, Trump has not been a politician for very long, so foreign agencies are 
playing catch-up, analysts say. 


“The purpose of such intelligence gathering is to understand the target’s 
proclivities,” said Robert Deitz, former senior councillor to the CIA director 
and a former general counsel at the National Security Agency. “Trump’s 
foreign investments, for example, would be relevant to understanding how he 
would deal with countries where he has those investments” should he be 
elected, Deitz said. “They may provide tips for understanding his style of 
negotiating. In short, this sort of intelligence could be used by Russia, for 
example, to indicate where it can get away with foreign adventurism.” 


[Russian hackers target NATO, Ukraine in cyber-spy campaign] 


Other analysts noted that any dirt dug up in opposition research is likely to be 
made public anyway. Nonetheless, DNC leadership acted quickly after the 
intrusion’s discovery to contain the damage. 


“The security of our system is critical to our operation and to the confidence of 
the campaigns and state parties we work with,” said Rep. Debbie Wasserman 
Schultz (D-Fla.), the DNC chairwoman. “When we discovered the intrusion, 
we treated this like the serious incident it is and reached out to CrowdStrike 
immediately. Our team moved as quickly as possible to kick out the intruders 
and secure our network.” 


The Clinton campaign did not immediately respond to a request for comment. 
A spokeswoman for the Trump campaign referred questions to the Secret 
Service. 


DNC leaders were tipped to the hack in late April. Chief executive officer Amy 
Dacey got a call from her operations chief saying that their information 
technology team had noticed some unusual network activity. 


“It’s never a call any executive wants to get, but the IT team knew something 
was awry,” Dacey said. And they knew it was serious enough that they wanted 
experts to investigate. 


That evening, she spoke with Michael Sussmann, a DNC lawyer who is a 
partner with Perkins Coie in Washington. Soon after, Sussmann, a former 
federal prosecutor who handled computer crime cases, called Henry, whom he 
has known for many years. 


Within 24 hours, CrowdStrike had installed software on the DNC’s computers 
so that it could analyze audit data that could indicate who had gained access, 
when and how. 


The firm identified two separate hacker groups, both working for the Russian 
government, that had infiltrated the network, said Dmitri Alperovitch, 
CrowdStrike co-founder and chief technology officer. The firm had analyzed 
other breaches by both groups over the last two years. 


One group, which CrowdStrike had dubbed Cozy Bear, had gained access last 
summer and was monitoring the DNC's email and chat communications, 
Alperovitch said. 


The other, which the firm had named Fancy Bear, broke into the network in 
late April and targeted the opposition research files. It was this breach that set 
off the alarm. The hackers stole two files, Henry said. And they had access to 
the computers of the entire research staff — an average of about several dozen 
on any given day. 


The computers contained research going back years on Trump. “It’s a huge 
job" to dig into the dealings of somebody who has never run for office before, 
Dacey said. 


CrowdStrike is not sure how the hackers got in. The firm suspects they may 
have targeted DNC employees with “spearphishing” emails. These are 
communications that appear legitimate — often made to look like they came 
from a colleague or someone trusted — but that contain links or attachments 
that when clicked on deploy malicious software that enables a hacker to gain 
access to a computer. "But we don't have hard evidence," Alperovitch said. 


The two groups did not appear to be working together, Alperovitch said. Fancy 
Bear is believed to work for the GRU, or Russia's military intelligence service, 
he said. CrowdStrike is less sure of whom Cozy Bear works for but thinks it 
might be the Federal Security Service or FSB, the country’s powerful security 
agency, which was once headed by Putin. 


The lack of coordination is not unusual, he said. "There's an amazing 
adversarial relationship" among the Russian intelligence agencies, Alperovitch 
said. "We have seen them steal assets from one another, refuse to collaborate. 
They're all vying for power, to sell Putin on how good they are." 


The two crews have "superb operational tradecraft," he said. They often use 
previously unknown software bugs — known as “zero-day” vulnerabilities — to 
compromise applications. In the DNC's case, the hackers constantly switched 
tactics to maintain a stealthy presence inside the network and used built-in 
Windows tools so that they didn't have to resort to malicious code that might 
trigger alerts. “They flew under the radar," Alperovitch said. 


The two groups have hacked government agencies, tech companies, defense 
contractors, energy and manufacturing firms, and universities in the United 
States, Canada and Europe as well as in Asia, he said. 


Cozy Bear, for instance, compromised the unclassified email systems of the 
White House, State Department and Joint Chiefs of Staff in 2014, Alperovitch 
said. 


"This is a sophisticated foreign intelligence service with a lot of time, a lot of 
resources, and is interested in targeting the U.S. political system," Henry said. 
He said the DNC was not engaged in a fair fight. "You've got ordinary citizens 
who are doing hand-to-hand combat with trained military officers," he said. 
"And that's an untenable situation." 


Russia has always been a formidable foe in cyberspace, but in the last two 
years "there's been a thousand-fold increase in its espionage campaign against 
the West," said Alperovitch, who is also a senior fellow at the Atlantic Council. 
“They feel under siege." 


Western sanctions, imposed after Russia's annexation of Crimea in Ukraine, 
have hurt the economy and led the government to increase its theft of 
intellectual property to limit the impact of import restrictions, he said. And 
Russia's growing isolation has increased the need for intelligence to 
understand and influence political decisions in other countries, he added. 


CrowdStrike is continuing the forensic investigation, DNC lawyer Sussmann 
said. “But at this time, it appears that no financial information or sensitive 
employee, donor or voter information was accessed by the Russian attackers,” 
he said. 


The firm has installed special software on every computer and server in the 
network to detect any efforts by the Russian cyber spies to break in again. 
“When they get kicked out of the system," Henry predicted, “they're going to 
try to come back in." 


Tom Hamburger contributed to this report. 